Hackers Burrow Into Apple's Walled Garden

Uploaded on 2015-10-07 in TECHNOLOGY--Hackers, NEWS-News Analysis, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

 

The Apple app store is often described as a "walled garden" - a picturesque image that suggests a serene idyll, a haven from the bustle and dangers of digital life. What it means is that Apple strictly controls what makes it into the App Store, vetting each app to make sure its security (among other features) is up to scratch.

Apple has sold more than 700 million iPhones to date, according to chief executive Tim Cook, yet the App Store has proven much more secure than the Android app ecosystem, because the latter doesn't have a single quality control system.
So the news that the walled garden has a rather nasty infestation is important. Several Chinese apps were discovered to contain code that could steal user information.

Apple has removed them, but these weren't knock-off stock or weather apps deliberately created to attack private information. Instead, several blue chip apps were stealthily compromised.  WeChat, China's answer to Whatsapp, was among them: it has around half a billion users.

Tencent, which owns WeChat, said its initial investigation had not shown that any of its users' information had been stolen.
Apple's reputation for security will probably survive, even if the walls of its garden could maybe do with a lick of paint. Given the number of iPhones Apple continues to shift, some sort of security breach was inevitable, and the Cupertino-based company has acted swiftly.

The fact that Chinese apps were infected is interesting for two reasons:

First, China is on track to become Apple's biggest market: it sold more iPhones there than in the US, according to its latest results. That makes iPhone users in China a bigger target, to criminals and perhaps others.

Secondly, this attack was more sophisticated than making a dodgy iPhone app, then hoping it makes it through the App Store (which has happened in isolated cases), and then that people download it.

Instead, they came up with a fake version of developer tool XCode, and tricked app developers into using it to build their apps. So the legitimate app developers were building apps from code that had already been compromised.
It's very elegant attack, one that requires skill and resources. It's also an approach the CIA considered, according to The Intercept, in a report based on documents supplied by Edward Snowden.

The Chinese government has long taken a keen interest in its citizens' Internet activities.
Identifying who's behind a hack is incredibly difficult. But Apple's success exposes it to some of the most motivated and best-funded hackers in the world, be they criminals or nation states, both in China and the rest of the world.
It might have to build those walls a little higher.
Sky: http://bit.ly/1Lt2GAJ

« Six Emerging CyberSecurity Risks
21 Announces the Bitcoin Computer »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Information Risk Management (IRM)

Information Risk Management (IRM)

IRM is an international consultancy dedicated to helping organisations solve key business issues. We provide strategic cyber security advice across a wide range of sectors.

44CON

44CON

44CON is an Information Security Conference & Training event taking place in London. Designed to provide something for the business and technical Information Security professional.

Computer & Communications Industry Association (CCIA)

Computer & Communications Industry Association (CCIA)

CCIA supports efforts to facilitate and streamline information sharing on cyber threats between the private sector and the Federal Government.

ID Experts

ID Experts

ID Experts is a leading provider of identity protection and data breach services for companies and individuals throughout the USA.

NinjaJobs

NinjaJobs

NinjaJobs is a community-run job platform developed by information security professionals. We focusing strictly on cybersecurity positions.

SixThirty CYBER

SixThirty CYBER

SixThirty is a venture fund that invests in early-stage enterprise technology companies from around the world building FinTech, InsurTech, and Cybersecurity solutions.

ISARR

ISARR

The ISARR software platform - your bespoke Risk, Resilience & Security Management solution. Simple, cost effective and adaptable, now and into the future.

Loki Labs

Loki Labs

Loki Labs provides expert cyber security solutions and services, including vulnerability assessments & penetration testing, emergency incident response, and managed security.

Ethyca

Ethyca

Ethyca builds automated data privacy infrastructure and tools for developers and privacy teams to easily build products that comply with GDPR, CCPA Privacy Regulations.

Network Utilities (NetUtils)

Network Utilities (NetUtils)

Network Utilities provide identity centric network and security solutions to organisations from Telecoms and ISPs to SMEs and large corporates.

Gray Analytics

Gray Analytics

Gray Analytics is a Cybersecurity Risk Management company providing best-practice services across a broad spectrum of cyber scenarios for both government and commercial customers.

Tego Cyber

Tego Cyber

Tego Cyber delivers a state-of-the-art threat intelligence platform that helps enterprises deploy the proper resolution to an identified threat before the enterprise is compromised.

Beyon Cyber

Beyon Cyber

Beyon Cyber offer a complete portfolio of advanced solutions & services for cyber security in Bahrain.

EkoCyber

EkoCyber

EkoCyber partner with businesses as a value-added MSSP to provide top-tier, trusted and transparent cyber security services at an affordable price point.

DIGISOC

DIGISOC

DIGISOC, a leader in Latin America in Cybersecurity solutions, combines machine learning with human intelligence to be effective in detecting cyber threats.

coc00n

coc00n

coc00n secures the devices of high-value and high-interest individuals against cyber attacks.